Apache for Newbies:

In part 2 of "Getting More Out Of Apache", the Developer
Shed shows you how to implement basic user authentication and
set up access control groups. It also talks about Apache
logging capabilities and the powerful URL rewriting module.

In "Linux for Newbies, part 22", Gene Wilburn stresses
the benefits of compiling Apache and any related modules by
hand. Instructions are given for removing existing Apache and
PHP from one's system before compiling them again from
source. By doing this, users control how the packages are
built and choose the locations for the various parts.

If you prefer to build Apache from source manually, you may
want to refer to Apacompile,
which is a set of instructions and examples for
compiling Apache and other common modules such as
mod_ssl, mod_auth_ldap and
mod_php. Some configuration
samples are yet to be completed.

Apache on Mac OS X:

The Developer Shed presents step-by-step instructions for
building Apache, MySQL, WebDAV and PHP on Mac OS X. All
these programs compile and run on Mac OS X due to its
BSD-based UNIX core known as Darwin. To avoid
confusion, the Apache Web server built is not enhanced with
mod_ssl.

Noel Davis looks at how to overcome an Apache
on Mac OS X security issue which only involves those who store files
on Mac OS X's HFS+ file system. Three workarounds are available for this
problem.

Kevin Hemenway unravels the mystery of the built-in Apache web server
that comes with Mac OS X in his
first article
of a new series about serving web pages from a Mac. You'll learn how to
start up Apache, access your personal home page, locate Apache's
DocumentRoot, and customise the default web
page. This is just the appetiser - there is more to come in the next
installment when Kevin gets down to the crux of maintaining a
full-fledged web site.

Apache on Windows:

Apache on Windows NT, how does it compare to Apache on UNIX
or other web servers such as IIS? Apache Today has the
answer. Windows users who are interested in using Apache
but are discouraged by the apparent lack of online
information about this topic may like to check this out.

"A Feather in Your NT Cap"
persuades users running Microsoft's Internet Information Server (IIS)
on Windows NT to migrate to Apache on NT. It lists the three limitations
of Apache's ISAPI implementation, describes two main ways of
installation, gives an overview of the configuration, and shows you
how to start Apache as an NT service.

Apache Advanced Configuration:

At WebTechniques.com, Jim Jagielski has a few tips for those who are
providing web-hosting services in "Customer
Number One". He looks at two Apache methods for giving
every customer in a shared server environment dedicated-server performance
and quality guarantees, as if he or she were the only customer. The
first uses mod_throttle to control various parameters,
such as the number of requests or the total bandwidth used, on a per
server, virtual host, location, directory or user basis. The second uses
suExec to let CGI scripts execute under their own user and group ID. He
also discusses the pros and cons of running multiple instances of Apache
simultaneously.

"Save
Your Site from Spambots" teaches you how to use
mod_rewrite to redirect "spambots", software packages
that crawl the Web harvesting e-mail addresses and adding them to bulk
e-mail lists, to a specific page that has "special" messages just for
them. Since this method uses the content of the User-Agent: HTTP header to
identify the "spambots", it won't prevent "spambots" that masquerade as
other browsers from scraping e-mail addresses from your web site. Other
solutions are presented as well and the one recommended is "spamtraps" -
special addresses that are solely used for catching spammers. The author
concludes that the best way to combat unwanted bulk e-mail is to
immediately report spam to the ISP from which it originates as many times
as it takes until the ISP takes the necessary actions.

The administrators at evolt.org are
"Using Apache to
stop bad robots". In a short article they show how they capture robots
that not only ignore the robots.txt file, but deliberately
try to index files they are told not to.

Morbus Iff develops a "Search
Engine Friendly SSI Image Gallery" in his article on evolt.org.
The article shows how to create a dynamic image gallery, using only
the features built into a core distribution of Apache.

WebmasterBase.com looks at the pros and cons of three methods of passing
information to your web pages without the use of a query string so that
your web site has search
engine-friendly URLs. The methods are the implementation of
PATH_INFO, .htaccess error pages, and the
ForceType directive, and have been tested using PHP with
Apache on Linux but they should also work on other platforms.

Information Security Magazine presents an article on
improving Apache and a
case study on companies that swear by (not at) Apache in
its April issue. It starts off by refuting the mindset that
running Apache guarantees security although it readily admits
that Apache deserves its reputation for being a secure Web
server. Then it provides the steps for installing Apache and
mod_ssl, securing the underlying Linux server,
and testing Web applications for vulnerabilities.

Sys Admin magazine presents Apache::Motd, an
Apache module based on the "Message Of The Day" utility found
on UNIX systems. It intercepts a user's initial request and
displays the contents of the motd file before serving the
requested page. Carlos Ramirez, its creator, walks us through
the installation and configuration process.

Linux
Gazette provides three different options to redirect a
request to another virtual host running on the same
webserver. If you want to distinguish yourself from the boys,
the solution is to use mod_rewrite under a
Virtual Host container. It also shows you how to achieve the
same results using a Perl script or the Redirect
directive.

"Apache
CodeRed Countermeasures with PHP: codeRedKiller!" provides a solution
on how to prevent Code Red requests from reaching your Apache Web server by
using PHP and bash. Basically it uses a PHP script to record the source IP
address of the request and then runs a shell script to set up a filter in
your firewall to block any further requests from the same source. You
could use a simple shell script to parse your Apache error log to obtain
the source IP address instead of using PHP. This article also advises you
to ensure that the source IP address is not spoofed. The drawback is that
all other valid requests from the source IP address will be stopped
from reaching your web server permanently until you remove the filter.

Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is not
a new B-grade movie but how you can be a good internet citizen and let
people know that their server has been infected by the Worm. One way
is by using Apache::CodeRed written by Reuven M. Lerner. In
this article,
he explains how the module intercepts requests for
/default.ida, determines the host name of the HTTP client,
sends only one warning e-mail message in a 24-hour period to SecurityFocus
and the administrator of that client, and keeps a list of IP addresses to
be ignored.

Interested in setting up your own Net radio stations? Then start
by reading this
introduction to mod_mp3, a
module that optimises the Apache Web server for streaming
MP3s. Although mod_mp3 is still in its infancy,
it already supports file-sharing and all the basic webcasting
functions, with many more ambitious features in the pipeline.

Apache and Tomcat:

Chris Bush explains the basics of Tomcat configuration and
includes instructions for integrating Tomcat with Apache in
"Linux
as an Application Server - The Tomcat Way". A good read
for those interested in supporting Java Servlet 2.2 and JSP
1.1 with Apache Web Server.

"JSP Quick-Start
Guide" has been updated recently for use with Apache 1.3.22, Tomcat
4.0.1, and mod_webapp which is the new Apache connector
module for Tomcat 4.x. This step-by-step tutorial shows you how to set up
and run a JSP-enabled server under Windows. By the end of this, you'll
have a basic JSP page working smoothly.

This week, it's
Apache and Tomcat again as Robert Eksten shows us how to
set up Tomcat as an Apache add-on using mod_jk
instead of mod_jserv. It is relatively simple as
it only installs prebuilt components and the steps do not
involve compiling source code.

Apache and other applications:

Lawrence Teo explains
how to set up a web-based archive for a mailing list
in Issue 72 of Linux Gazette. He uses Apache as the web server,
Hypermail to convert the e-mail messages stored in a UNIX mailbox file
to a set of cross-referenced HTML files, and cron to update the
web-based archive periodically. He assumes that those three components
have been installed on your system so only the instructions on how to
configure them are provided.

Introduction
to WML, Apache, and PHP is a good starting point for
developing PHP-enhanced WML applications on the Apache Web
Server. Instructions are given on configuring Apache to
accept and serve WML enabled decks. By the end of this, you
will have your first 'simple' wireless page.

PHPBuilder takes a look at
"using Webalizer to analyze Apache logs".
Webalizer is a freely available log analysis tool written in C that is
designed for speed; even
on a modest machine it can handle tens of thousands of log lines
a second. However, it can
be tricky to get Webalizer installed, so this article takes you
step by step through how to get it installed and running.

"You Can Get There from Here" part
1 and part
2 show you how to install, configure, and use Squirrelmail on your PHP4
enabled Apache web server. For better security, you can run Squirrelmail
on an SSL-enabled Apache web server or implement Apache's basic
authentication.

"You Can Get There from Here, Part 5"
shows you how to install, configure, and use
Rolodap on
your PHP4 enabled Apache web server. You need to compile PHP4 with
LDAP support for this. In case you hadn't guessed it from the name,
Rolodap is an electronic version of the traditional desktop rotary file
of cards, usually used for registering contact information.

Apache Tuning and Benchmarking:

In "Tuning
Your Apache Web Server", Don MacVittie shows us how to configure the
directives in the httpd.conf file to achieve maximum performance. Users
have to ensure that their hardware can support the volume of connections
they are aiming for, before starting with the optimisation. As there are
no hard and fast rules for tweaking the settings, the best configuration
is obtained by trial and error - benchmarking the server after changing
the directives each time.

Ibrahim F. Haddad explains the results he got for testing the performance
of three open-source web servers: Apache, Jigsaw and Tomcat on his
experimental Linux cluster platform. He performs four types of tests, each
with a different server and on 1, 2, 4, 6, 8, 10, and 12 CPU systems but only
presents three comparison cases: Apache 1.3.14 vs. Apache 2.08a on one
CPU, Apache 1.3.14 vs. Apache 2.08a on eight CPUs and Jigsaw 2.0.1
vs. Tomcat 3.1 on one CPU in this report. His conclusion is that Apache is
considerably faster and more stable than the other web servers.

Are your Web servers up to the strain of real-world usage?
"HTTP Benchmarking" describes a sample benchmarking setup
and shows you how to use
httperf and Autobench to
stress-test your systems.

Joe "Zonker" Brockmeier walks you through the process of
setting up and running a few benchmark tests against Apache
using autobench and
httperf in
"HTTP Benchmarking, Part 2". The tests are performed on
both the Debian x86 and SPARC distributions but will apply to
any UNIX-based OS running Apache.

In "HTTP
Benchmarking, Part 3: Tips and Tweaks", Joe "Zonker" Brockmeier shows
you how to tweak the Apache Web server to improve performance. Although he
focuses on Linux systems, some of the tips can be applied on other systems
as well.

In
"Performance Tuning by Tweaking Apache Configuration",
Stas Bekman demonstrates how to fine-tune the
MinSpareServers, MaxSpareServers,
StartServers, MaxClients, and
MaxRequestsPerChild directives to maximise the
usage of your system resources and to ensure good
performance. He uses the ApacheBench (ab) utility to
benchmark the Apache Web server with around ten different
combinations of parameter settings in the tweaking process.

Jeffrey Carl gives a few tips on handy tools to use when
troubleshooting server problems in "The
Web Server First Aid Kit". Its approach can be applied to
most Unix and Linux systems but it occasionally refers
specifically to the Apache Web Server. Some of the problems
it tackles are: figuring out the cause of slow response from
server, unauthorized entry, and network misconfiguration.

Sys Admin magazine describes how to build an affordable
load balancing cluster using the Apache HTTP server and
the Apache JServ Java application server. It also provides
some interesting benchmark test results.

Apache 2.0:

Last November (Apache Week issue
224), we mentioned that APR (Apache Portable Run-time)
has spun off into a separate project. In
"Aid From APR", Ryan Bloom explains its advantages
and illustrates his point by comparing an APR segment of code
with the native code.

In CNet Builder.com, it's Ryan Bloom again as he talks about
how Apache 2.0 is more than a web server as it has the
potential to serve
any protocol. He reveals the benefits of using a single
server for multiple protocols and the way to implement it
using Apache 2.0.

Ryan Bloom kicks off a new series of columns about Apache 2.0
for O'Reilly Network readers with his first column -
"Installing Apache 2.0". This piece proves to be merely a
rehash of his previous Apache 2.0 articles except for a
mention of mod_tls.

In
"Migrating from Apache 1.3 to Apache 2.0", Ryan Bloom
shares his experience of porting the apache.org web server to
Apache 2.0 with O'Reilly ONLamp.com's readers. He gives some
tips on which Multiprocessing Module (MPM) to use,
implementing filters, and how to solve the problem of IPv6
support.

O'Reilly ONLamp.com brings you the latest information about filters
for Apache 2.0 in Ryan Bloom's column. This article is just an
introduction to the subject, covering some of the basic concepts of
filtered I/O which is the ability for one module to modify the output of
an earlier module, listing three standard filters included in the basic
Apache distribution, and explaining what filter types are. Meanwhile,
"Writing
Apache 2.0 Output Filters" gives enough information
for a developer to be able to write an output filter from scratch. According to
Ryan, developers have improved the interface over the past few releases so
that the complex task of writing filters becomes easier.

Moving on from output filters, Ryan Bloom explains how to write
input filters in his latest article in the Apache 2.0 series. He
highlights three differences between input and output filters, covers the
ap_get_brigade function, and walks readers through an example
input filter in detail. After reading this, you can start writing your own
input filters.

In Ryan Bloom's swan song for the Apache 2.0 Basics series, he talks about
one
of the least publicised new features in Apache 2.0 which is allowing
one module to call into another module to execute an operation. In Apache
1.3, for two modules to execute the same operation, the feature has to
be implemented in both of the modules, making synchronisation of changes a
tedious task. He uses the mod_include and
mod_cgi modules to illustrate his points.

PHP:

"Learning
PHP: The What's and the Why's" is the first article in a new series
that aspires to teach everything about PHP, beginning with the basics of
PHP to advanced subjects such as databases and XML support. This
introductory piece briefs us on what PHP is, its history, and the reasons
for choosing it over other languages.

Take a trip down memory lane with Rasmus Lerdorf, creator of PHP, as he
guides us through PHP's origin, usage, syntax, and features in "Scripting the Web
with PHP". It provides a good overview of all that PHP has to offer
with simple examples that illustrate the concepts clearly. The topics
covered are the four different PHP tag styles, ways to install PHP, how
PHP handles variables and errors, manipulates strings, connects to
relational databases, generates content in formats other than HTML, and
manages sessions. He advises that the best way to learn PHP is to use it.

While PHP is easy to learn, it is another story when it comes
to getting it right. In his three-part article series,
Sterling Hughes imparts some advice on how to prevent 21
common mistakes made by PHP programmers. It is worthwhile to
read through the list of textbook,
serious,
and deadly
mistakes, and give yourself a pat on the back if you have
managed to avoid all of them.

Perl:

Find out more about mod_perl in the first of a series of
updated articles by Stas
Bekman. "Why
mod_perl?" intends to entice you to give it a try by revealing
mod_perl's popularity and presenting a few well-known sites that are
powered by it. Now that you're hooked, you'll be glad to know that it only
takes 30 minutes to get started with mod_perl and here's how to do
it.

Take23 shows us how to use
Apache::PortCorrect (a Perl module) to redirect
users from a nonsecure port over to a secure SSL port based
on the URL that they are trying to access. This article is
for those who are more at home using mod_perl
with the Apache Web Server and mod_ssl than
setting up a set of mod_rewrite rules to perform
the same task.

Stas Bekman talks about improving mod_perl performance. He
starts off with choosing the right operating system and
hardware in
part I, comparing various benchmarking tools in
part II and now in
part III, he continues with code profiling and memory
measurement techniques.

Security:

The administrator at cgisecurity.com looks at some
common
fingerprints used in port 80 exploits with a few examples on how each
attack signature may be implemented. It covers common malicious requests,
commands which may be executed by worms, files which may be requested by
attackers, buffer overflows, and hex encoding. Although it is not meant to
be an exhaustive list, it is sufficient to help web server administrators
identify attack patterns in their logs, and to add the appropriate rules to
their Intrusion Detection Systems (IDS).

In "Freeware
Security Web Tools", Gary Bahadur talks about a few freeware Linux tools
that can be used to perform footprint and vulnerability analysis,
the first
two phases of a web server security assessment. Among the tools mentioned are
Nmap, Netcat (nc), Whisker, Cgichk.pl (a Perl-based scanner), Malice (also a
Perl-based scanner), and Md-webscan.

In "Safer CGI
Scripting", Charles Walker and Larry Bennett cover
methods to fix various CGI script vulnerabilities and touch
on developing a CGI security strategy. Although the examples
are written in Perl and C, they can also be applied to the
scripting language of your choice.

In PHP DevCenter, Darrell Brogdon looks at
security issues relating to PHP when running PHP as
either an Apache module or a CGI binary, and the ways to
remedy them.

PHP, a server-side HTML-embedded scripting language, offers web developers
the convenience of generating dynamic page content, and supports a wide range
of databases but PHP programs are vulnerable to security compromises if they
are poorly written.
"On the Security of PHP, Part 1" aims to minimise this risk by offering
some guidelines on secure PHP programming practices. It begins with an
overview of PHP, and then examines some of the most common security issues
with PHP programs.

"On the Security of PHP, Part 2" wraps up this two-parter by showing us how
to secure PHP scripts with a combination of safe programming practices and
PHP settings. It talks about how to use PHP safe mode, how to avoid the risks
posed by files with a .inc extension, how to filter user input, and how to
prevent scripts from changing PHP configuration options.

"Avoiding
security holes when developing an application - Part 6: CGI
scripts" explores a few examples of poorly written Perl scripts
which are vulnerable to security compromises. Before delving into
the code, it gives an overview of how a web server works and
explains server-side includes (SSIs) for Apache. Perl
developers are advised to use the "warning" option, "taint mode"
option, and to specify "use strict" at the beginning of their Perl
scripts.

In the wake of the Code Red worm, Joe "Zonker" Brockmeier warns Unix and
Linux administrators running the Apache Web Server not to let their guard
down in this tongue-in-cheek but apt piece entitled "Thinking
about Security". I'm sure many of you will find his advice on how to
stop your boss from embarrassing himself useful.

This feature is brought to you by: Min Min Tsan